After-queue integration

When "after-queue" integration is used and messages are forwarded to Kaspersky Security 8 for Linux Mail Server for scanning and then returned to the Postfix mail server, the following conditions must be satisfied:

• The filter must be configured to intercept messages from the Postfix mail server via socket-in. This socket is specified in the configuration file of the program at step 9 of the instructions below.
• The filter must forward messages to Scan Logic for scanning via the scanner socket. This socket is specified while running the initial configuration script.
• The filter must return messages to the Postfix mail server via socket-out. This socket is specified in the configuration file of the program at step 9 of the instructions below.

When Kaspersky Security 8 for Linux Mail Server is integrated with the Postfix mail server, socket-in may point only to a network socket; scanner and socket-out can point to a network socket or to a local socket.

To perform after-queue integration of Kaspersky Security 8 for Linux Mail Server with Postfix:

1. Open the configuration file main.cf.
2. Add the following strings to the end of the main.cf file:

   #klms-begin-afterqueue-filter

   content_filter = klms_postfix-afterqueue:$sock_postfix_format

   #klms-end-afterqueue-filter

   where $sock_postfix_format is the IP address and port number on which the filter listens for incoming connections, in the <IP address>:<port> format (for a network socket).

   Example: content_filter = klms_postfix-afterqueue:127.0.0.1:10025

3. Open the configuration file master.cf.
4. Add the following strings to the end of the master.cf file:
   • For an inet socket:

     #klms-begin-afterqueue-filter

     klms_postfix-afterqueue unix - - n - - smtp

     -o smtp_send_xforward_command=yes

     127.0.0.1:$forward_port inet n - n - - smtpd

     -o content_filter=

     -o receive_override_options=no_unknown_recipient_checks, no_header_body_checks,no_address_mappings

     -o smtpd_helo_restrictions=

     -o smtpd_client_restrictions=

     -o smtpd_sender_restrictions=

     -o smtpd_recipient_restrictions=permit_mynetworks,reject

     -o mynetworks=127.0.0.0/8,[::1]/128

     -o smtpd_authorized_xforward_hosts=127.0.0.0/8,[::1]/128

     -o smtpd_tls_security_level=none

     -o message_size_limit=0

     #klms-end-afterqueue-filter

     where the 127.0.0.1:$forward_port inet n - n - - smtpd string is required to enable Postfix to accept processed messages from the filter and listen for data on $forward_port.

     Example: 127.0.0.1:10026 inet n - n - - smtpd

   • For a unix socket:

     #klms-begin-afterqueue-filter

     klms_postfix-afterqueue unix - - n - - smtp

     -o smtp_send_xforward_command=yes

     $unix_socket_name unix n - n - - smtpd

     -o receive_override_options=no_unknown_recipient_checks, no_header_body_checks,no_address_mappings

     -o smtpd_helo_restrictions=

     -o smtpd_client_restrictions=

     -o smtpd_sender_restrictions=

     -o smtpd_recipient_restrictions=permit_mynetworks,reject

     -o mynetworks=127.0.0.0/8,[::1]/128

     -o smtpd_authorized_xforward_hosts=127.0.0.0/8,[::1]/128

     -o smtpd_tls_security_level=none

     -o message_size_limit=0

     #klms-end

     where the $unix_socket_name unix n - n - - smtpd string is required to enable Postfix to accept processed messages from the filter and listen for data on the $unix_socket_name unix socket.

     Example: ksmg_forward_sock unix n - n - - smtpd

5. Open the file /var/opt/kaspersky/klms/installer.dat (under Linux) or /var/db/kaspersky/klms/installer.dat (under FreeBSD).
6. Add the following lines to the file:

   POSTFIX_INTEGRATION_TYPE=afterqueue

   START_SMTP_PROXY=1

7. Open the file /etc/opt/kaspersky/klms/klms_filters.conf (under Linux) or /usr/local/etc/kaspersky/klms/klms_filters.conf (under FreeBSD).
8. Set the true value in the [global] section for theheader-guard setting.
9. In the [smtp_proxy] section, specify the following settings:

   socket-in=<IP address and port number> specified at Step 2 of the wizard for $sock_postfix_format

   socket-out=<IP address and port number> or <UNIX socket> specified at step 4 of the instructions for $forward_port or $unix_socket_name in the inet:<port>@<IP address> format (for a network socket) or unix:<path to the UNIX socket> (for a local socket).

   integration=afterqueue

   Example 1: socket-in=inet:[email protected] socket-out=inet:[email protected] integration=afterqueue Example 2: socket-in=inet:[email protected] socket-out=unix:/var/spool/postfix/public/ksmg_forward_sock integration=afterqueue

10. Restart the klms service.
11. Restart the Postfix mail server.